25 Security Configuration

This chapter describes how to create users, groups, and roles for use in Oracle Service Bus inbound security and administrative security.

Inbound transport-level security and message-level security use the user, group, and role data to authenticate inbound client requests. Oracle Service Bus then applies access control policies to determine which authenticated users are authorized to use proxy services and business services.

You cannot export users, groups, or roles when you export a configuration because these objects are located in security provider stores. You must create these objects again when you import the exported configuration or use WebLogic Server tools (if available) to export and import them.

25.1.1 Users

Users are entities that can be authenticated. A user can be a person or a software entity, such as a Web Services client. You must give each user a unique identity (name) within a security realm.

Typically, the users that you create fall into two categories:

Client users who can access your proxy services or business services.

If you create a large number of client users, consider organizing them into security groups.

Administrative users who can use the Oracle Service Bus Administration Console to create or modify proxy services, business services, and other Oracle Service Bus resources.

Oracle Service Bus uses role-based security for its administrative functions. Instead of giving access privileges directly to users, Oracle Service Bus gives administrative privileges only to security roles. To give administrative privileges to a user, you place the user in one of the default security groups, which is in one of the pre-defined security roles.

25.1.2 Groups

To facilitate administering a large number of users, you can organize users into named groups. Then, instead of giving access privileges or role identities to individual users, you give privileges or identities to groups.

25.1.2.1 Administrative Security Groups

Oracle Service Bus provides default security groups to facilitate giving users access to administrative functions such as creating proxy services. Each group is in one of the pre-defined Oracle Service Bus security roles that have been granted administrative privileges.

25.1.3 Roles

A security role is an identity that can be granted to a user or group based on conditions in the runtime environment. When you create access control policies, you can grant access to a role, group, or user.

For example, suppose you create two groups, MyCustomersEast and MyCustomersWest. You create a security role named PrivilegedCustomer and define conditions so that the MyCustomersWest group is in the role from 8am to 8pm EST, while the MyCustomersEast group is in the role from 8pm to 8am EST. Then you create an access control policy for a proxy service that gives the PrivilegedCustomer role access to the service. Different users will have access at different times depending on whether they are in the MyCustomersEast or the MyCustomersWest group.

25.1.3.1 Administrative Security Roles

Oracle Service Bus provides four pre-defined security roles (plus four pre-defined roles from WebLogic Server) that give administrative privileges. You cannot change the access privileges for the Oracle Service Bus administrative security roles, but you can change the conditions under which a user or group is in one of the roles.

For more information about these roles and the privileges available for each role, see "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

25.1.4 Access Control Policies

An access control policy specifies conditions under which users, groups, or roles can access a proxy service. For example, you can create a policy that always allows users in the GoldCustomer role to access a proxy service and that allows users in the SilverCustomer role to access the proxy service only after 12pm on weeknights.

For all proxy services, you can create a transport-level policy, which applies a security check when a client attempts to establish a connection with the proxy service. Only requests from users who are listed in the transport-level policy are allowed to proceed.

A message-level access control policy applies a security check when a client attempts to invoke a proxy service with message-level security. You can create a message-level access control policy in the following cases:

For proxy services that are active Web Service security intermediaries

For proxy services that have message level custom authentication

Only users who are listed in the message-level policy are allowed to invoke the operation.

25.1.5 Security Configuration Data and Sessions

Users, groups, and roles are persisted in security providers, which are not governed by Oracle Service Bus sessions. Therefore, you can create or modify this data when you are in or out of a session. Any additions or modifications to this data take effect immediately and are available to all sessions. If you discard a session in which you added or modified the data, the security data is not discarded.

Access control policies are persisted in authorization providers, and the Oracle Service Bus repository holds a reference to them.

Access control policies are managed within an Oracle Service Bus design session, not outside it. Because the changes are made within a session, you can commit or discard them as you do with other resources.

Although ACLs can be managed from the Oracle Service Bus Administration Console, policies can also be changed outside Oracle Service Bus. However, changing policies outside of Oracle Service Bus can make the reference held in Oracle Service Bus out-of-date and invalid.

Therefore, for consistent management, either manage ACLs entirely outside of Oracle Service Bus sessions (using the authorization provider MBeans or third-party authorization provider tools) or entirely from within Oracle Service Bus sessions. Mixing the two approaches can result in an inconsistent view of policies.

25.3 Adding Users

To add users:

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

Select Security Configuration to display the Summary of Users page.

Click Add New to display the Create a New User - General Configuration page.

You can add a user from inside or outside a session.

In the User Name field, enter a unique name. This is a required field.

In the Password field, enter a password. This is a required field.

Note:

Authentication providers can impose a minimum password length. For a user defined in the WebLogic Authentication provider, the default minimum password length is 8 characters. You can customize this setting using the WebLogic Server Administration Console. (The WebLogic Authentication provider is configured in the default security realm with the name DefaultAuthenticator.)

In the Confirm Password field, enter the same password you entered for the Password field. This is a required field.

In the Authentication Provider field, select the authentication provider for this user.

If multiple authentication providers are configured in the security realm, they will appear in the list. Select the authentication provider database that should store information for the new user.

In the Group Membership field, select a group for this user.

Select a group from the Available Groups field.

Click the arrow to move the group into the Current Groups field.

Click Save to create the user.

Oracle Service Bus Administration Console saves the user and the user becomes available immediately to all sessions. If you are in a session when you add the user and then you discard the session, Oracle Service Bus Administration Console does not delete the new user.

25.4 Editing Users

Use the View User Details page to view and change details of a specific user.

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

Make the appropriate changes to the New Password, Confirm Password, and Group Membership fields. See Section 25.3, "Adding Users" for descriptions of the fields.

You cannot change the User Name field.

Click Save Changes to update the user.

Oracle Service Bus Administration Console updates the user details and the update becomes available immediately to all sessions. If you are in a session when you update the user and then you discard the session, Oracle Service Bus Administration Console does not delete the updates.

25.5 Deleting Users

Use the Summary of Users page to delete a selected user or multiple users.

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

Select Security Configuration to display the Summary of Users page.

Select the user you want to delete. You can select multiple users if necessary.

You can delete a user from inside or outside a session.

Click Delete. A message prompting you to confirm that you want to delete the user is displayed.

To delete the user, click OK.

Oracle Service Bus Administration Console deletes the user. If you are in a session when you delete the user and then you discard the session, Oracle Service Bus Administration Console does not un-delete the user.

Alternatively, you can click the Delete icon in the Options column of the user you want to delete.

25.7 Adding Groups

To add groups:

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

In the Authentication Provider field, select the authentication provider.

In the Group Membership field, select a group to which this group belongs.

Select a group from the Available Groups field.

Click the arrow to move the group into the Current Groups field.

Click Save to create the group.

Oracle Service Bus Administration Console saves the group and the group becomes available immediately to all sessions. If you are in a session when you add the group and then you discard the session, Oracle Service Bus Administration Console does not delete the new group.

25.8 Editing Groups

Use the View Group Details page to view and change details of a specific group.

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

Oracle Service Bus Administration Console updates the group details and the update becomes available immediately to all sessions. If you are in a session when you update the group and then you discard the session, Oracle Service Bus Administration Console does not delete the updates.

25.9 Deleting Groups

Use the Summary of Groups page to delete a selected group or multiple groups.

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

Select Security Configuration to display the Summary of Groups page.

Select the group you want to delete. You can select multiple groups if necessary.

You can delete groups from inside or outside a session.

Click Delete. A message prompting you to confirm that you want to delete the group is displayed.

To delete the group, click OK.

Oracle Service Bus Administration Console deletes the group. If you are in a session when you delete the group and then you discard the session, Oracle Service Bus Administration Console does not un-delete the group.

Alternatively, you can click the Delete icon in the Options column of the group you want to delete.

25.11 Adding Roles

To add roles:

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

In the Role Name field, enter a unique name. This is a required field.

Be sure that there are no spaces or < > characters in the security role name. Security role names are case sensitive. The Oracle convention is that all security role names are singular.

To create the role, click OK.

Oracle Service Bus Administration Console saves the role and the role becomes available immediately to all sessions. If you are in a session when you add the role and then you discard the session, Oracle Service Bus Administration Console does not delete the new role.

When you click OK to create the role, the next step is to define the conditions under which the role applies.

25.11.1 Defining Role Conditions

On the Global Roles page, click the name of the new global role to display the Global Role Conditions page.

Under Role Conditions, click Add Condition.

The following prompt is displayed:

Choose the predicate you wish to use as your new condition

Choose a predicate from the list box. Typically, you choose Group. When a group is used to create a security role, the security role can be granted to all members of the group (that is, multiple users).

Click Next. Depending on what you chose for your condition predicate, do one of the following steps, described in Table 25-6.

Table 25-6 Condition Predicate Options

Condition Predicate: Group
Complete These Steps: Enter one or more arguments that define the group or groups that should hold this role.
1. In the Group Argument Name field, enter an argument that defines the group.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Click Finish.

Condition Predicate: User
Complete These Steps: Enter one or more arguments that define the user or users that should hold this role.
1. In the User Argument Name field, enter an argument that defines the user.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Click Finish.

Condition Predicate: Server is in development mode, Allow access to everyone, or Deny access to everyone
Complete These Steps:
1. Click Finish.

Condition Predicate: A time-constrained predicate such as Access occurs between specified hours
Complete These Steps: Select start and end times and a GMT offset.
1. In the Starting Time field, enter the earliest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
2. In the Ending Time field, enter the latest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
3. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
4. Click Finish.

Condition Predicate: Context element defined
Complete These Steps: Enter a context element name.
1. In the Context element name field, enter the name of the context element.
2. Click Finish.

Condition Predicate: Context element's value equals a numeric constant, Context element's value is greater than a numeric constant, or Context element's value is less than a numeric constant
Complete These Steps: Enter a context element name and a numeric value to compare it against.
1. In the Context element name field, enter the name of the context element whose value is to be evaluated.
2. In the Numeric Value field, enter a numeric value.
3. Click Finish.

Condition Predicate: Context element's value equals a string value
Complete These Steps: Enter a context element name and a string value to compare it against.
1. In the Context element name field, enter the name of the context element whose value is to be evaluated.
2. In the String Value field, enter the string value that you want to compare.
3. Click Finish.

Condition Predicate: A time-constrained predicate such as Access occurs before or Access occurs after
Complete These Steps:
1. In the Date field, enter a date in the format mm/dd/yy. For example, enter 1/1/04. You can add an optional time in the format hh:mm:ss AM|PM. For example, you can enter 1/1/04 12:45:00 AM.
2. Click Finish.

Condition Predicate: The time-constrained predicate Access occurs on specified days of the week
Complete These Steps: Select the day of the week and a GMT offset.
1. In the Day of week field, enter the day of the week.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Click Finish.

Condition Predicate: A time-constrained predicate such as Access occurs on a specified day of the month, Access occurs before a specified day of the month, or Access occurs after a specified day of the month
Complete These Steps:
1. In the Day of the Month field, enter the ordinal number of the day within the current month with values in the range from -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Click Finish.

If necessary, repeat the steps to add expressions based on different role conditions. In the Role Conditions section, you can do the following steps, described in Table 25-7, to modify the expressions.

Table 25-7 Role Conditions Options

To change the ordering of the selected expression: click Move Up and Move Down.

To merge or unmerge role conditions and switch the highlighted and/or statements between expressions: click Combine and Uncombine.

To make a condition negative (for example, NOT Group Operators excludes the Operators group from the role): click Negate.

To delete a selected expression: click Remove.

When all the expressions in the Role Conditions section are correct, click Save.

To end the session and deploy the configuration to the runtime, click Activate under Change Center.
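The role-condition example in Section 25.1.3 and the predicate semantics in Table 25-6 (the same predicates reappear for policies in Table 25-12), as an added Python model that is not Oracle Service Bus code: the Request type, the helper names, and the sample users and instants are constructed, and treating the Ending Time as exclusive is an assumption.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Callable, Dict, Set

@dataclass
class Request:
    """The authenticated caller as a condition sees it (constructed model)."""
    user: str
    groups: Set[str]
    now: datetime  # timezone-aware instant at which the condition is evaluated

Predicate = Callable[[Request], bool]

def utc(y: int, m: int, d: int, hh: int, mm: int = 0) -> datetime:
    """Timezone-aware UTC instant for building sample requests."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)

def parse_gmt_offset(text: str) -> timezone:
    """'GMT-5:00' or 'GMT+5:30', exactly as typed into the GMT offset field."""
    if not text.startswith("GMT") or text[3] not in "+-":
        raise ValueError(f"bad GMT offset: {text!r}")
    hh, mm = text[4:].split(":")
    delta = timedelta(hours=int(hh), minutes=int(mm))
    return timezone(-delta if text[3] == "-" else delta)

# The Group, User and Role predicates, plus the Negate and Combine operations
# of the Role Conditions / Policy Conditions sections.
def group(name: str) -> Predicate:
    return lambda r: name in r.groups

def user(name: str) -> Predicate:
    return lambda r: r.user == name

def role(name: str, roles: Dict[str, Predicate]) -> Predicate:
    """The caller holds a global role only while that role's conditions hold;
    a role that was never created grants access to no one."""
    return lambda r: name in roles and roles[name](r)

def negate(p: Predicate) -> Predicate:        # NOT Group Operators
    return lambda r: not p(r)

def all_of(*ps: Predicate) -> Predicate:      # Combine with "and"
    return lambda r: all(p(r) for p in ps)

def any_of(*ps: Predicate) -> Predicate:      # Combine with "or"
    return lambda r: any(p(r) for p in ps)

def between_hours(start: time, end: time, gmt_offset: str) -> Predicate:
    """Access occurs between specified hours, judged in the given GMT offset.
    A window such as 8pm-8am wraps past midnight. Assumption: Ending Time is
    exclusive, so 8am-8pm and 8pm-8am partition the day without overlap."""
    tz = parse_gmt_offset(gmt_offset)
    def p(r: Request) -> bool:
        t = r.now.astimezone(tz).time()
        if start <= end:
            return start <= t < end
        return t >= start or t < end  # window crosses midnight
    return p

def _resolve_day(day: int, local: datetime) -> int:
    """Day of the Month argument in -31..31: negatives count back from the end
    of the month (-1 is the last day); 0 is the day before the first."""
    if not -31 <= day <= 31:
        raise ValueError("day must be in -31..31")
    if day >= 0:
        return day
    return calendar.monthrange(local.year, local.month)[1] + 1 + day

def day_of_month(op: str, day: int, gmt_offset: str) -> Predicate:
    """Access occurs on / before / after a specified day of the month."""
    tz = parse_gmt_offset(gmt_offset)
    def p(r: Request) -> bool:
        local = r.now.astimezone(tz)
        target = _resolve_day(day, local)
        return {"on": local.day == target, "before": local.day < target,
                "after": local.day > target}[op]
    return p

# Section 25.1.3: MyCustomersWest holds PrivilegedCustomer 8am-8pm EST and
# MyCustomersEast 8pm-8am EST; the proxy service's policy grants the role.
ROLES: Dict[str, Predicate] = {"PrivilegedCustomer": any_of(
    all_of(group("MyCustomersWest"), between_hours(time(8), time(20), "GMT-5:00")),
    all_of(group("MyCustomersEast"), between_hours(time(20), time(8), "GMT-5:00")),
)}
PROXY_POLICY: Predicate = role("PrivilegedCustomer", ROLES)

def policy_allows(user_name: str, groups: Set[str], at: datetime) -> bool:
    """Evaluate the proxy service's transport-level policy for one caller."""
    return PROXY_POLICY(Request(user_name, set(groups), at))
```

Note that the GMT offset changes which calendar day a request falls on, so a day-of-month predicate evaluated in GMT-5:00 and one evaluated in GMT+5:30 can disagree for the same instant.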

25.12 Editing Roles

Use the View Role Details page to view and change details of a specific role.

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

Merge or unmerge role conditions and switch the highlighted and/or statements between expressions.

Click Combine and Uncombine.

Make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.

Click Negate.

Delete a selected expression.

Click Remove.

Click Save.

Oracle Service Bus Administration Console updates the role and the update becomes available immediately to all sessions. If you are in a session when you update the role and then you discard the session, Oracle Service Bus Administration Console does not delete the updates.

25.13 Deleting Roles

To delete roles:

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

Select the role you want to delete. You can select multiple roles if necessary.

You can delete roles from inside or outside a session.

Click Delete. A message prompting you to confirm that you want to delete the role is displayed.

To delete the role, click OK.

Oracle Service Bus Administration Console deletes the role. If you are in a session when you delete the role and then you discard the session, Oracle Service Bus Administration Console does not un-delete the role.

25.14 Locating Access Control Policies

The Security page provides a link to the access control policies for a proxy service in the current Oracle Service Bus domain.

This page does not list proxy services that you have created in a session but have not yet activated. To locate or edit the access control policies for a new proxy service, first activate the session in which you created the proxy service.

In the Access Control column, select the name of the proxy service under Transport Access Control, or the name of the proxy service or of a particular operation under Message Access Control.

25.15 Editing Transport-Level Access Policies

Use the View Policy Details page to edit the transport-level access control policy of a proxy service. The page displays the information shown in Table 25-10.

Table 25-10 Policy Details

Proxy Service Name: Displays the name of the proxy service for which you selected Transport Access Control on the Security page.

Providers: Displays the authorization providers that are configured for the security realm.

Policy Conditions: Displays the conditions that determine for which users the proxy service will process requests.

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

When you have finished entering conditions in the Policy Conditions section, click Save.

25.16 Editing Message-Level Access Policies

Use the View Policy Details page to edit the message-level access control policy of a proxy service that is a Web Service and is configured to require message-level security. The page displays the information shown in Table 25-11.

Table 25-11 Policy Details

Proxy Service Name: Displays the name of the proxy service for which you selected View Policies on the Access Control for Proxy Services page.

Providers: Displays the authorization providers that are configured for the realm.

Operation: Lists the operations in the proxy service that can be secured.

Policy Conditions: Displays the conditions that determine which users can invoke the operations that are selected under Service Operations.

Log in to the Oracle Service Bus Administration Console as a user with WebLogic Server Admin privileges. Only users in the Admin role can modify security configuration data. See "Configuring Administrative Security" in the Oracle Fusion Middleware Developer's Guide for Oracle Service Bus.

Click Next. Depending on what you chose for your condition predicate, do one of the following steps, shown in Table 25-12.

Table 25-12 Condition Predicate Options

If you selected: Role
(For transport-level security, this condition applies only if the proxy service uses a protocol that enables a client to supply credentials.)
1. In the Role Argument Name field, enter the role to which you want to grant access. If you have not already created the role that you entered in this field, you can do so after you finish creating access control policies. See Section 25.11, "Adding Roles." If you do not create this role, then no one will be granted access.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Do one of the following:
   - To save the arguments and return to the predicate list, click Finish.
   - To discard the changes and return to the predicate list, click Back.
   - To discard the changes and return to the View Policy Details page, click Cancel.

If you selected: Group
(For transport-level security, this condition applies only if the proxy service uses a protocol that enables a client to supply credentials.)
1. In the Group Argument Name field, enter the group to which you want to grant access. If you have not already created the group that you entered in this field, you can do so after you finish creating access control policies. See Section 25.7, "Adding Groups." If you do not create this group, then no one will be granted access.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Do one of the following:
   - To save the arguments and return to the predicate list, click Finish.
   - To discard the changes and return to the predicate list, click Back.
   - To discard the changes and return to the View Policy Details page, click Cancel.

If you selected: User
(For transport-level security, this condition applies only if the proxy service uses a protocol that enables a client to supply credentials.)
1. In the User Argument Name field, enter the user to which you want to grant access. If you have not already created the user that you entered in this field, you can do so after you finish creating access control policies. See Section 25.3, "Adding Users." If you do not create this user, then no one will be granted access.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Do one of the following:
   - To save the arguments and return to the predicate list, click Finish.
   - To discard the changes and return to the predicate list, click Back.
   - To discard the changes and return to the View Policy Details page, click Cancel.

If you selected: Access occurs on specified days of the week
1. In the Day of week field, enter the day of the week.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Do one of the following:
   - To save the arguments and return to the predicate list, click Finish.
   - To discard the changes and return to the predicate list, click Back.
   - To discard the changes and return to the View Policy Details page, click Cancel.

If you selected: Access occurs between specified hours
1. In the Starting Time field, enter the earliest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
2. In the Ending Time field, enter the latest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
3. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
4. Do one of the following:
   - To save the arguments and return to the predicate list, click Finish.
   - To discard the changes and return to the predicate list, click Back.
   - To discard the changes and return to the View Policy Details page, click Cancel.

If you selected: Access occurs before or Access occurs after
1. In the Date field, enter a date in the format mm/dd/yy. For example, enter 1/1/04. You can add an optional time in the format hh:mm:ss AM|PM. For example, you can enter 1/1/04 12:45:00 AM.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Do one of the following:
   - To save the arguments and return to the predicate list, click Finish.
   - To discard the changes and return to the predicate list, click Back.
   - To discard the changes and return to the View Policy Details page, click Cancel.

If you selected: Access occurs on a specified day of the month, Access occurs before a specified day of the month, or Access occurs after a specified day of the month
1. In the Day of the Month field, enter the ordinal number of the day within the current month with values in the range from -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Do one of the following:
   - To save the arguments and return to the predicate list, click Finish.
   - To discard the changes and return to the predicate list, click Back.
   - To discard the changes and return to the View Policy Details page, click Cancel.

If you selected: Context element's value equals a string constant
(Applies only to transport-level security. A context element is a parameter/value pair that a container such as a Web container can optionally provide to a security provider. Context elements are not available for message-level access control policies.)
1. In the String Value field, enter the string value that you want to compare.
2. Do one of the following:
   - To save the arguments and return to the predicate list, click Finish.
   - To discard the changes and return to the predicate list, click Back.
   - To discard the changes and return to the View Policy Details page, click Cancel.

If you selected: Context element's value is greater than a numeric constant, Context element's value equals a numeric constant, or Context element's value is less than a numeric constant
(Applies only to transport-level security. A context element is a parameter/value pair that a container such as a Web container can optionally provide to a security provider. Context elements are not available for message-level access control policies.)
To discard the changes and return to the View Policy Details page, click Cancel.

If you selected: Context element defined
(Applies only to transport-level security. A context element is a parameter/value pair that a container such as a Web container can optionally provide to a security provider. Context elements are not available for message-level access control policies.)
To discard the changes and return to the View Policy Details page, click Cancel.

If you selected: Deny access to everyone, Allow access to everyone, or Server is in development mode
Click Finish. Alternatively, you can click Cancel to discard the changes and return to the View Policy Details page.

If necessary, repeat steps 3-5 to add expressions based on different policy conditions. In the Policy Conditions section, you can do the following steps, shown in Table 25-13, to modify the expressions.

Table 25-13 Policy Conditions Options

To change the ordering of the selected expression: select the check box associated with the condition, then click Move Up and Move Down.

To merge or unmerge policy conditions and switch the highlighted and/or statements between expressions: select the check box associated with the appropriate conditions, then click Combine and Uncombine.

To make a condition negative (for example, NOT Group Operators excludes the Operators group from the policy): select the check box associated with the condition, then click Negate.

To delete a selected expression: select the check box associated with the condition, then click Remove.